Authorize internal network communication between ECS instances for different accounts through the API

This topic describes how to authorize internal network communication between ECS instances
for different accounts in the same region.

Background

You can authorize internal network communication in either of the following modes:

Communication between ECS instances: You can authorize internal network communication
between two ECS instances that belong to the same account.

Communication between accounts: You can authorize internal network communication between
all ECS instances that belong to two different security groups within the same region,
including those purchased after authorization.

Note To enable internal network communication between different accounts, you can authorize
communication between security groups in each account. Then, ECS instances in the
security groups can communicate over the internal network. Modifying security group
configurations will affect all ECS instances in a security group, as well as services
running on these ECS instances. Use caution when performing this operation.

Limits

Security groups are virtual firewalls for ECS instances. They only filter traffic and do not
provide communication or networking capabilities on their own. After you authorize internal
network communication between instances in different security groups, you must still ensure
that the instances are able to reach each other over the internal network.

If all instances are of the classic network type, they must be in the same region.

Prerequisites

Alibaba Cloud CLI is used to call ECS APIs. Make sure that you have installed Alibaba Cloud CLI and configured it for use.

Authorize internal network communication between ECS instances

Query the internal IP addresses and security group IDs of the two ECS instances.

You can obtain the IDs of the security groups to which the ECS instances belong through
the console or by calling the DescribeInstances operation. The following table lists information about the two ECS instances.

In the preceding examples, region ID cn-qingdao is for reference only. Replace it with the actual region ID.

In the preceding examples, the AuthorizeSecurityGroup operation is called to add security group rules. The key parameters for this operation
include SecurityGroupId, SourceGroupId, and SourceGroupOwnerAccount.

Wait for a short period of time and run the ping command to check whether the ECS instances in the two security groups can communicate
with each other over the internal network.
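The following shell script is an added example that is not part of this topic. It shows how the AuthorizeSecurityGroup call described above can be built with Alibaba Cloud CLI for each of the two accounts, with the source security group of the other account as the rule's source. All security group IDs, account names and the region are constructed placeholders. The script only prints the commands unless RUN=1 is set, so it can be reviewed before anything is changed. It scopes each rule to one protocol and port range rather than all traffic, which is the form a reviewer will usually want to see instead of a rule opening every port between the groups.

```shell
#!/bin/sh
# Added example (not from the original topic). Builds the AuthorizeSecurityGroup
# calls that let two security groups in different accounts talk over the
# internal network. IDs and account names below are placeholders.
# Set RUN=1 to execute the commands; by default they are only printed.

# Check that a value looks like a security group ID (assumed format: sg-<alphanumerics>).
is_sg_id() {
  case "$1" in
    sg-[A-Za-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print (or run) one AuthorizeSecurityGroup call.
#   $1 region ID           $2 security group receiving the rule (SecurityGroupId)
#   $3 source group ID     $4 account that owns the source group (SourceGroupOwnerAccount)
#   $5 IP protocol         $6 port range, e.g. 22/22 (use -1/-1 for all ports)
# NicType is set to intranet because group-to-group rules apply to internal traffic.
authorize_from_group() {
  region=$1; target=$2; source=$3; owner=$4; proto=$5; ports=$6
  is_sg_id "$target" || { echo "bad SecurityGroupId: $target" >&2; return 1; }
  is_sg_id "$source" || { echo "bad SourceGroupId: $source" >&2; return 1; }
  cmd="aliyun ecs AuthorizeSecurityGroup --RegionId $region --SecurityGroupId $target --IpProtocol $proto --PortRange=$ports --SourceGroupId $source --SourceGroupOwnerAccount $owner --NicType intranet"
  if [ "${RUN:-0}" = 1 ]; then
    $cmd
  else
    echo "$cmd"
  fi
}

# Placeholder values: replace with the real region, group IDs and account names.
REGION=cn-qingdao                 # region from the topic; replace with the actual region ID
GROUP_A=sg-placeholderaaaa        # security group in account A
GROUP_B=sg-placeholderbbbb        # security group in account B
ACCOUNT_A=account-a@example.com   # owner of GROUP_A
ACCOUNT_B=account-b@example.com   # owner of GROUP_B

# Run the first call with account A's CLI profile and the second with account B's:
# each account authorizes the other account's group as the source for TCP port 22 only.
authorize_from_group "$REGION" "$GROUP_A" "$GROUP_B" "$ACCOUNT_B" tcp 22/22
authorize_from_group "$REGION" "$GROUP_B" "$GROUP_A" "$ACCOUNT_A" tcp 22/22
```

Each account can only modify its own security groups, so the two calls must be issued with the respective account's credentials. Widening the port range to -1/-1 reproduces the "all traffic" authorization, but every instance in both groups (including ones added later) then becomes reachable on every port from the other group, which is why a narrower rule is usually preferable.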